List Mantis is a service provided by Whale & Wave Digital Ltd, a company registered in England and Wales (company number [COMPANY NUMBER]), with its registered office at [REGISTERED ADDRESS] ("we", "us", "our").
We take your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions, contact us at hello@listmantis.com.
1. What we collect and why
Account information
When you create a List Mantis account, we collect:
- Email address — to authenticate your account, send alerts, and communicate with you about the service.
- Full name — to personalise your experience.
- Password — stored as a one-way bcrypt hash. We never store or see your plain-text password.
Legal basis: Performance of a contract (providing you with the service you signed up for).
Location data
Postcode and derived coordinates — you provide a UK postcode during onboarding and when creating searches. We geocode this to latitude/longitude to calculate distances to listings. We store the postcode, coordinates, and the search radius you choose.
We do not track your real-time location. We only use the location you explicitly provide.
Legal basis: Performance of a contract (location-based search is a core feature of the service).
Search and alert data
- Search configurations — keywords, filters, selected marketplaces, vehicle details, price ranges, and location radius.
- Alert history — listing data (title, price, image URL, seller location, source URL) matched to your searches, plus read/archived status.
- Vehicle data — for vehicle searches, we may store registration numbers, MOT history, mileage, and fuel type obtained from publicly available DVSA records.
Legal basis: Performance of a contract.
Payment information
We use Stripe to process payments. When you subscribe:
- We store: your Stripe customer ID and subscription status.
- We do not store: your card number, expiry date, or CVC. These are handled entirely by Stripe and never touch our servers.
Stripe's own privacy policy applies to the payment data they process: https://stripe.com/gb/privacy.
Legal basis: Performance of a contract (processing your subscription payment).
Device and push notification data
If you enable push notifications, we collect:
- Device push token — a unique identifier provided by Apple (APNs) or your browser (Web Push) that allows us to send notifications to your device.
You can disable push notifications at any time in your device settings or within the app under Settings > Notifications. When you disable them, we delete your push token from our records.
Legal basis: Consent (you actively opt in to push notifications).
Cookies and session data
We use the following cookies:
- lm_session — a session cookie that keeps you logged in. It is HttpOnly, Secure, and SameSite=Lax. It expires after 7 days of inactivity.
- CSRF token — a security cookie used to prevent cross-site request forgery attacks.
We do not use advertising cookies or third-party tracking cookies.
Analytics: We use [CONFIRM PROVIDER — e.g. Plausible or Fathom], a privacy-focused analytics tool that does not use cookies and does not collect personal data. It provides us with aggregate, anonymous usage statistics (page views, referral sources) with no individual tracking.
On this marketing website, we also store a single localStorage entry (lm_consent_v1) that records you've seen our cookie notice, so we don't show it on every page load. It stays on your device and is never sent to a server.
Legal basis: Legitimate interest (session cookies are essential to the functioning of the service); consent (analytics, where applicable).
Server logs
Our servers automatically record:
- IP address, request URL, timestamp, HTTP status code, and user agent.
Logs are retained for 30 days for security monitoring and debugging, then permanently deleted. We do not use log data for profiling or marketing.
Legal basis: Legitimate interest (security and service reliability).
2. How we use your data
We use your personal data to:
- Provide the service — run your searches, match listings, deliver alerts by email and push notification.
- Process payments — manage your subscription through Stripe.
- Communicate with you — service emails (account confirmation, password resets, alert notifications). We do not send marketing emails unless you opt in.
- Maintain security — detect abuse, enforce rate limits, prevent fraud.
- Improve the service — aggregate, anonymised usage data helps us understand which features are used and where the service can be improved.
We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party for their own marketing purposes.
3. Third-party services
We share data with the following third parties, solely to operate the service:
| Service | Data shared | Purpose |
|---|---|---|
| Stripe (stripe.com) | Email, Stripe customer ID | Payment processing |
| Hetzner (hetzner.com) | All service data (hosted on their servers) | Infrastructure / hosting |
| Netlify (netlify.com) | Marketing site traffic, beta signup form submissions | Marketing site hosting, form handling |
| Decodo (decodo.com) | Search queries (no personal data) | Proxy service for marketplace scraping |
| Google Gemini API | Listing images (no personal data) | Vehicle registration plate extraction |
| DVSA (gov.uk) | Vehicle registration numbers | MOT history lookup |
| [ANALYTICS PROVIDER] | None (cookieless) | Anonymous usage analytics |
| Apple APNs / Web Push | Device push token | Push notification delivery |
All third-party processors are bound by data processing agreements. Data is processed within the UK or EEA, or under appropriate safeguards (such as Standard Contractual Clauses) where processed outside these regions.
4. Data retention
| Data type | Retention period |
|---|---|
| Account data (email, name) | Until you delete your account |
| Search configurations | Until you delete the search or your account |
| Alert history | Until you delete your account |
| Cached listing images | 30 days from caching |
| Payment records | 7 years (UK tax/accounting obligations) |
| Push tokens | Until you disable notifications or delete your account |
| Server logs | 30 days |
| Session cookies | 7 days of inactivity |
When you delete your account, we permanently erase your personal data within 30 days, except where we are legally required to retain it (e.g., payment records for tax purposes).
5. Your rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten").
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent (e.g., push notifications), you can withdraw at any time.
To exercise any of these rights, email hello@listmantis.com. We will respond within one calendar month.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Phone: 0303 123 1113
6. Data security
We protect your data with:
- HTTPS (TLS) encryption for all data in transit.
- Bcrypt password hashing with a cost factor sufficient to resist brute-force attacks.
- CSRF token protection on all state-changing requests.
- HttpOnly, Secure, SameSite session cookies.
- Rate limiting on authentication and sensitive endpoints.
- Database access restricted to application servers only (no public access).
- Regular dependency audits (npm audit).
No system is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the ICO within 72 hours as required by law.
7. Children
List Mantis is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
8. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you by email or by a notice within the app. The "last updated" date at the top of this page will always reflect the most recent version.
9. Contact
If you have any questions about this privacy policy or your personal data:
- Email: hello@listmantis.com
- Post: Whale & Wave Digital Ltd, [REGISTERED ADDRESS]
- ICO registration number: [ICO NUMBER]